Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:

Screenshots of internal Valve web pages

A portion of Valve's Cafe directory

Error logs

Credit card information of customers

Financial information on Valve

While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on the Valve servers. In addition, MaddoxX also reveals that private certificates for "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:

Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ...
All I ask is that you make some effort to edit cafe numerical details from any future release.

Please don't release the CC information, for the sake of the centers who are less informed.

MaddoxX does make one thing quite clear in his electronic manifesto:

If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.

It seems that Valve is being held for ransom. If this is true, Valve may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:

There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com.

Comments


It doesn't take much to hack into anything, so many programs out that make hacking very easy. Yes, you need some talent in understanding what's going on when you see miles and miles of code. Steam gets hacked on a daily basis; this one just got posted. Nothing online is safe when it comes to credit card numbers. More than just 21-year-old kids that can spoof an IP and bounce off of WinGate servers around the world are after your credit cards. I have seen it all hacked, from Windows servers, Linux, BSD, and even a few DOS from back in the day. Every program, every OS has its weak point, hence why internet security is a billion-dollar-a-year business and is still only about 70% safe. If they want into your system, it's a good chance they will get in ... My gripe is with Steam not dropping a popup window when this happened telling ppl to be careful because there may or may not have been a breach in their software (like they do their new games and the ones on sale), so ppl could have the heads up when it happened. Someone got screwed out of all the CC# that were on there, someone lost money, and that is the fault of Steam, because a week after it happened they respond only because the guy posted something about it. They don't need to have him arrested, they need to give him a job; maybe then they will have someone who knows what the hell they're doing ... Check your credit card statement; if something looks fishy, call a lawyer, then call your bank. You can't snatch this little kid up by the head because you don't know anything about him or her, but you do know where Steam is ... and since it's their problem and their fault, stick it to them ... Companies that do online banking will always be a target ... If the kid managed to get 1 dollar from every person with a Steam account, he would have made 6-8 million dollars ... That's the big picture.
